Authentication Bypass Vulnerability in miniOrange Social Login Plugin for WordPress
CVE-2026-12761

9.8CRITICAL

What is CVE-2026-12761?

The miniOrange Social Login and Register plugin for WordPress reveals a significant security flaw wherein the Profile Completion flow fails to adequately validate email addresses supplied through the 'email_field' POST parameter. This oversight allows attackers to impersonate any user by entering an arbitrary email linked to an OAuth provider. Furthermore, the method send_otp_token() exposes vulnerable information, enabling unauthorized parties to generate and crack an OTP offline. With access to a predictable OTP space and a static customer key, attackers can swiftly log in as any user—potentially gaining administrator privileges. This vulnerability emphasizes the need for robust authentication mechanisms to protect user accounts.

Affected Version(s)

miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) 0 <= 7.7.0

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Supakiad S. (m3ez)
.